Securing and standardising Google Cloud infrastructure with Terraform Sentinel.
Introduction
This article demonstrates how to set up a solution for securely automating Google Cloud services while meeting compliance standards. One of our clients had already established a secure and well-governed Google Cloud environment. Although the migration of critical applications and data was still pending, the project focused on automating Google Cloud services using Terraform Cloud with Sentinel policies.
Cloud computing presents challenges, particularly in maintaining security. This blog post therefore focuses on using Terraform Sentinel policies to secure and enforce compliance within the customer's cloud setup, and we will also explore why our customer chose to integrate Sentinel into their cloud automation strategy. I'll also give simplified explanations of how these policies help keep the cloud environment safe. So let's dive into how automation, rules and security come together in the world of Google Cloud.
Back to Basics: Understanding Terraform Sentinel
But before diving deeper, let's quickly recap: What exactly is Terraform Sentinel again?
Terraform Sentinel is a policy-as-code framework embedded in HashiCorp's commercial products, Terraform Cloud (TFC, now HCP Terraform) and Terraform Enterprise (TFE). It enables our customers to enforce compliance, security and operational best practices across their infrastructure provisioning workflows (as outlined below). Policies are written in the Sentinel language and are evaluated after `terraform plan` and before `terraform apply`, so a non-compliant change is stopped before any resource is created. Each policy carries an enforcement level: advisory (the violation is only logged), soft-mandatory (the run fails but an authorised user can override it) or hard-mandatory (the run fails and cannot be overridden). Policies can range from enforcing naming conventions to ensuring that resource configurations comply with the company's security standards. By embedding Sentinel policies directly into Terraform workflows, we automate the validation and enforcement of policies, reducing the risk of misconfigurations and ensuring consistency across infrastructure deployments.
![](https://nordcloud.com/wp-content/uploads/2024/12/Screenshot-2024-12-27-at-13.12.29.png)
To wrap up, it provides a powerful mechanism for governing infrastructure as code deployments, promoting security, compliance and consistency within cloud environments.
Integration with Google Cloud Services
Managing and governing Google Cloud resources with Terraform Sentinel
Terraform Sentinel provides granular control over Google Cloud resources, ensuring compliance, security and best practices. For instance, organisations can define policies to ensure that all Google Compute Engine (GCE) instances use approved machine types, network tags and IAM permissions, while also mandating naming conventions and customer-managed encryption keys (CMEK) for Cloud Storage buckets that hold sensitive data. Cloud Storage already encrypts every object at rest by default, so the useful policy is not "is it encrypted" but "who controls the key".
Sentinel policies can also span multiple Google Cloud services, allowing our customers to enforce cross-service rules and dependencies. A policy might, for example, require that every GCE instance provisioned in a plan is covered by a corresponding firewall rule, or that Cloud Storage buckets are configured to trigger a Cloud Function on object uploads.
Long story short, let's take a closer look at the policy code example I took from the official HashiCorp repository on GitHub. In this example, all GCE instances must have machine types from an allowed list:
```sentinel
# Require that all GCE instances use a machine type from an allowed list.
# The helper functions come from HashiCorp's common-functions/tfplan-functions
# module (declared as module "tfplan-functions" in sentinel.hcl), which wraps
# the tfplan/v2 import.
import "tfplan-functions" as plan

# Allowed GCE machine types
allowed_types = ["n1-standard-1", "n1-standard-2", "n1-standard-4"]

# Get all GCE instances the plan will create or update
allGCEInstances = plan.find_resources("google_compute_instance")

# Filter to GCE instances whose machine_type is not in the allowed list.
# The last argument (true) prints a warning for each violation.
violatingGCEInstances = plan.filter_attribute_not_in_list(allGCEInstances,
                        "machine_type", allowed_types, true)

# Main rule: pass only when no instance violates the policy
main = rule {
  length(violatingGCEInstances["messages"]) is 0
}
```
The policy, written in HashiCorp's domain-specific language Sentinel, analyses the Terraform plan exposed by the tfplan/v2 import: it retrieves all GCE instances the plan would create or update, filters them to those whose machine_type attribute is not in the predefined list of allowed types, prints a message for each violation, and fails the policy check (the main rule) if any violation exists.
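The cross-service check mentioned earlier (an instance must be associated with a firewall rule) can be written against the tfplan/v2 import directly, without the helper module. The policy below is an added example, not code from the original post or from the HashiCorp repository: it requires every GCE instance in the plan to carry at least one network tag that a google_compute_firewall resource in the same plan lists in target_tags. The function names planned, list_attr and covered and the message text are my own.

```sentinel
# Added example: every GCE instance in the plan must carry at least one
# network tag that a google_compute_firewall rule in the same plan targets.
# Not code from the original post or the HashiCorp repository; names are
# illustrative.
import "tfplan/v2" as tfplan

# Managed resources of one type that the plan creates, updates or leaves
# unchanged. Unchanged ("no-op") resources still expose their "after"
# state, so a firewall rule already in the workspace still counts.
planned = func(type) {
  return filter tfplan.resource_changes as address, rc {
    rc.type is type and
    rc.mode is "managed" and
    rc.change.after is not null and
    (rc.change.actions contains "create" or
     rc.change.actions contains "update" or
     rc.change.actions contains "no-op")
  }
}

# A list attribute from the planned state, or [] when it is unset (null in
# the plan) or only known after apply (absent from "after" altogether)
list_attr = func(rc, attr) {
  v = rc.change.after[attr] else null
  if v is null {
    return []
  }
  return v
}

instances = planned("google_compute_instance")
firewalls = planned("google_compute_firewall")

# Every network tag targeted by some firewall rule in this plan
targeted_tags = []
for firewalls as address, fw {
  for list_attr(fw, "target_tags") as tag {
    append(targeted_tags, tag)
  }
}

# An instance is covered when one of its tags is targeted by a firewall rule
covered = func(inst) {
  return any list_attr(inst, "tags") as tag {
    tag in targeted_tags
  }
}

uncovered = filter instances as address, inst {
  not covered(inst)
}

for uncovered as address, inst {
  print(address, "has no network tag matched by a firewall rule in this plan;",
        "tags:", list_attr(inst, "tags"))
}

# Pass only when every instance in the plan is covered
main = rule {
  length(uncovered) is 0
}
```

Two caveats before running this as hard-mandatory. The policy only sees resources in the current plan, so an instance whose firewall rule is managed in another workspace will be flagged; and it does not model firewall rules without target_tags, which apply to every instance in the network. Tags that are computed at apply time are absent from the planned "after" state and therefore count as uncovered. Start at advisory, review the messages in the run output, and raise the enforcement level once the edge cases are handled.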
![](https://nordcloud.com/wp-content/uploads/2024/12/Screenshot-2024-12-27-at-13.15.21.png)
Customer Use Case
Securely managing Google Cloud resources
Challenge: In addition to the goal of using exclusively open-source modules, our customer faced significant maintenance issues with their custom Terraform modules. With various teams engaged in provisioning resources, the challenge of maintaining these modules added further complexity to their infrastructure management.
Solution: Together with the customer, we implemented Terraform Sentinel policies to enforce security standards across Google Cloud resources. Policies were defined to validate resource configurations, ensuring that all instances, storage buckets, and networking components met strict security requirements. Furthermore, we enforced strict naming conventions to maintain consistency and clarity throughout their cloud environment.
Outcome: By integrating Sentinel policies into their Terraform workflows, we achieved greater visibility and control over the cloud infrastructure. We are confident that security incidents related to misconfigured resources will be significantly reduced in the future. Additionally, it will lead to improved compliance and reduced risk of exposure.
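For the bucket policies mentioned in the use case (a naming convention, and key control for sensitive data), here is an added example written directly against tfplan/v2. It is not the customer's policy or HashiCorp's code: the pattern acme-<env>-<purpose>, the environment list and the central KMS project acme-kms are assumptions, as are the function name cmek_key and the message text.

```sentinel
# Added example: Cloud Storage buckets must follow a naming convention and
# use a customer-managed encryption key (CMEK) from the central KMS project.
# Not the customer's policy or HashiCorp's code; the pattern "acme-<env>-
# <purpose>", the environments and the project "acme-kms" are assumptions.
import "tfplan/v2" as tfplan
import "strings"
import "types"

name_pattern = "^acme-(dev|test|prod)-[a-z0-9-]+$"
kms_project_prefix = "projects/acme-kms/"

# Buckets the plan creates or updates (deletions carry no "after" state)
buckets = filter tfplan.resource_changes as address, rc {
  rc.type is "google_storage_bucket" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or
   rc.change.actions contains "update")
}

# The configured CMEK key name, "unknown" when it references a KMS key that
# the same plan creates (value only known after apply), or null when unset.
# A nested block such as encryption {} surfaces as a list in the plan data,
# hence the [0].
cmek_key = func(rc) {
  enc = rc.change.after.encryption else null
  if enc is null {
    return null
  }
  if length(enc) is 0 {
    return null
  }
  key = enc[0].default_kms_key_name else null
  if key is not null {
    return key
  }
  # Values known only after apply are omitted from "after" and flagged
  # with true in "after_unknown" instead
  pending = rc.change.after_unknown.encryption else null
  if types.type_of(pending) is "list" {
    if length(pending) > 0 {
      flag = pending[0].default_kms_key_name else false
      if flag is true {
        return "unknown"
      }
    }
  }
  return null
}

violations = {}
for buckets as address, rc {
  problems = []

  # Naming convention. A name computed at apply time (e.g. from a random
  # suffix) is absent from "after" and therefore fails this check.
  name = rc.change.after.name else ""
  if not (name matches name_pattern) {
    append(problems, "name '" + name + "' does not match " + name_pattern)
  }

  # Encryption at rest is always on in Cloud Storage; the policy enforces
  # that the key is customer-managed and lives in the central KMS project
  key = cmek_key(rc)
  if key is null {
    append(problems, "no encryption.default_kms_key_name (CMEK) configured")
  }
  if key is not null and key is not "unknown" {
    if not strings.has_prefix(key, kms_project_prefix) {
      append(problems, "CMEK key " + key + " is not in " + kms_project_prefix)
    }
  }

  if length(problems) > 0 {
    violations[address] = problems
    print(address + ": " + strings.join(problems, "; "))
  }
}

# Pass only when no bucket violates either requirement
main = rule {
  length(violations) is 0
}
```

A key referenced from a google_kms_crypto_key created in the same plan is accepted as "unknown" rather than rejected, because its resource name is not available until apply; if your convention requires the key to exist before the bucket, drop that branch and the policy will fail such plans. Bucket names computed at apply time fail the naming check by design, which is usually what you want for a naming convention.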
Best practices for provisioning and managing resources with Terraform Sentinel
Here are some best practices which we have aimed to achieve together with our customer to optimise infrastructure deployments on their Google Cloud environment while ensuring security and compliance.
Define granular policies: Granular Sentinel policies for Google Cloud resources address individual configuration aspects, enabling targeted security and compliance enforcement across diverse resource types.
Leverage Policy-as-Code Paradigm: By integrating Sentinel policies with IaC templates, organisations ensure version control, auditability, and consistency in policy enforcement across environments.
Implement continuous compliance monitoring: Evaluate Google Cloud resources against Sentinel policies on every run, and validate the policies themselves in the CI/CD pipeline before they reach production. The Sentinel CLI's `sentinel test` command runs each policy against mock plan data, so a policy change that would start passing non-compliant plans is caught before deployment.
Collaborate across teams: Collaboration between infrastructure and security teams is essential to develop and maintain Sentinel policies effectively, ensuring alignment with business objectives and regulatory requirements.
Regularly review and update policies: Regularly review and update Sentinel policies to adapt to evolving security threats, compliance standards, and organisational needs, ensuring effectiveness and relevance.
Monitor policy enforcement and effectiveness: Track policy check results and overrides in the HCP Terraform or Terraform Enterprise run history and audit logs, and use Google Cloud's logging and monitoring to detect resources that drift from the policy after deployment or that were created outside Terraform.
Comparing Terraform Sentinel with Google Cloud's Native Policies
Towards the end, you might be wondering how Terraform Sentinel compares with Google Cloud's native policy tooling, such as Organization Policy constraints.
Sentinel policies complement Google Cloud's native controls rather than replace them. Sentinel offers more flexibility and customisation: a policy can inspect any attribute of any resource in the plan, combine conditions across resources and services, and fail the run before anything is created. Because it evaluates the Terraform plan, it works the same way for every provider, which simplifies policy management for organisations with multi-cloud environments, as was the case with our customer. The caveat is scope: Sentinel only sees changes that pass through HCP Terraform or Terraform Enterprise. Resources created or modified through the console, gcloud or another pipeline are never evaluated, so native controls such as Organization Policy constraints remain the backstop at the API level.
Conclusion
In conclusion, combining Terraform Sentinel with Google Cloud's native policies gives organisations comprehensive security and compliance without compromising operational efficiency: Sentinel stops non-compliant changes before they are applied, and the native controls enforce the same standards on everything that bypasses Terraform.
Reference
- Sentinel Docs: Sentinel | HashiCorp Developer
- Terraform Sentinel Docs: HCP Terraform policy enforcement overview | Terraform | HashiCorp Developer
- GitHub repository with sample Terraform Sentinel policies for GCP: terraform-guides/governance/second-generation/gcp at master · hashicorp/terraform-guides